NTBackup File (BKF)

From ForensicsWiki

BKF is the proprietary backup format generated by NTBackup, the default Windows NT backup application. The utility first appeared with Windows NT in 1997. It later became part of the succeeding versions, Windows XP, 2000, and 2003. The BKF file format stores replicas of files held on Windows NT-family systems. NTBackup uses the file to back up data to storage media such as ZIP drives, tapes, hard drives, or floppy disks.


The Windows backup format file was first introduced with the launch of the NTBackup utility with Windows NT in 1997. The backup file generated by the application contains a replica of the data and files present on a Windows machine. The NTBackup tool also includes features that support automated backup of data via Task Scheduler and command-line switches.

The utility was later replaced by the Windows Backup and Restore Center and Windows Server Backup in Windows versions later than Vista and in Server OS versions, respectively.

NTBackup uses MTF, i.e. Microsoft Tape Format, when used with tape drives. The format is compatible with BKF.

File Structure

The first offset of an NTBackup BKF file, when viewed in a hex editor, shows the complete details of the backup, consisting of:

  • Type of backup
  • Starting date and time of backup
  • Ending date and time of backup
  • Utility used for backup
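
The following added example (not part of the original article) shows how a BKF file's first descriptor block can be sanity-checked before attempting a restore. It assumes the 52-byte common block header, the leading `TAPE` block type and the word-wise XOR header checksum described in the public Microsoft Tape Format 1.00a specification, none of which are listed on this page; the function names are this example's own and the sample header is constructed.

```python
import struct
from functools import reduce
from operator import xor

# 52-byte common descriptor-block header. Field layout follows the public
# Microsoft Tape Format (MTF) 1.00a specification, not this page (assumption).
COMMON_HDR = struct.Struct("<4sIHBBQQH6sI4sHHBBH")
STRING_TYPES = {0: "none", 1: "ANSI", 2: "Unicode"}


def xor_words(data: bytes) -> int:
    """XOR of the little-endian 16-bit words in data (MTF header checksum)."""
    return reduce(xor, struct.unpack(f"<{len(data) // 2}H", data), 0)


def check_bkf_header(buf: bytes) -> dict:
    """Triage the first descriptor block of a BKF image before restoring it."""
    if len(buf) < COMMON_HDR.size:
        return {"ok": False, "reason": "truncated header"}
    fields = COMMON_HDR.unpack_from(buf)
    # Index 0: block type, 1: block attributes, 13: string type, 15: checksum.
    block, attrs, str_type, stored = fields[0], fields[1], fields[13], fields[15]
    if block != b"TAPE":
        return {"ok": False, "reason": "first block is not TAPE"}
    # The checksum covers every header byte before the checksum field itself.
    computed = xor_words(buf[:COMMON_HDR.size - 2])
    if computed != stored:
        return {"ok": False, "reason": "header checksum mismatch",
                "stored": stored, "computed": computed}
    return {"ok": True, "block": block.decode("ascii"), "attributes": attrs,
            "strings": STRING_TYPES.get(str_type, "unknown")}


def build_sample_header() -> bytes:
    """Constructed sample: a minimal TAPE header with a valid checksum."""
    body = COMMON_HDR.pack(b"TAPE", 0, 0, 0, 0, 0, 0, 0, bytes(6),
                           0, bytes(4), 0, 0, 2, 0, 0)[:-2]
    return body + struct.pack("<H", xor_words(body))


if __name__ == "__main__":
    print(check_bkf_header(build_sample_header()))
```

On real evidence, pass the first 52 bytes read from a working copy of the `.bkf` file; a failed check indicates damage or a different file type at the very start of the image.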

Backup Types

When NTBackup generates a BKF file, it does so according to the specified backup type. The application offers five backup types, each of which backs up files differently.

Normal Backup, as the name suggests, performs a normal backup of the complete data present on the machine. Thus, the BKF file generated this way may consist of both user data and system files.

Incremental Backup extends the BKF file contents by adding data created or modified since the last time the backup was updated.

Copy Backup generates a BKF with selected data or files only. This kind of BKF file acts as a backup between backups.

Differential Backup works somewhat like Incremental Backup, i.e. it updates data created or modified since the last time a normal or incremental backup took place. However, unlike Incremental Backup, Differential Backup does not clear the archive attribute.

Daily Backup adds to the BKF the files that were modified or created on the day of the backup.

Support in Later Versions

In its later versions, Windows replaced NTBackup with Windows Backup and Restore. The new backup applet no longer supported tape drives or old backup formats. Microsoft, however, made NTBackup available for the later Windows versions so that legacy backup files can be read or restored on Windows Vista, Windows 7, or Server versions. Therefore, to access a backup file (BKF) on later versions of Windows, it is necessary either to copy the NTBackup cabinet files to the respective machine or to use a commercial solution to restore or access the BKF file.

Support for Corrupt BKF

File size is a common concern with BKF files and often results in corruption. On exceeding the standard storage limit, a backup file is likely to become corrupted. As a result, error messages are likely to appear describing the file as ‘unusable’ or ‘unrecognized’. Microsoft has released no revisions of the NTBackup utility for reading or restoring a corrupted backup file (BKF). Therefore, the last resort is a commercial solution that can mount a backup file in both healthy and corrupt states. There are also ample freeware programs available for reading a Windows NTBackup BKF file in a corrupt state. These applications apply recovery algorithms while loading and scanning the file before displaying its contents.